I can finally release my work on Amazon Cognito Ratelimit Bypassing as the fix is now globally deployed. Huge shoutout to James Kettle who discovered this attack vector and made the info public. Let me know what you think in the comments.

RT @MsftSecIntel: We updated our blog with expanded analysis and threat intelligence from newly observed activity by Storm-2603 leading to….

RT @HackingLZ: This might be useful for enumerating the SaaS products companies use, but it was more of an exercise in seeing how many DNS….

RT @stephenfewer: We now have a (draft) @metasploit exploit module in the pull queue for the recent Microsoft SharePoint Server unauthentic….

RT @leak_ix: As promised, our #SharePoint adventure with CVE-2025-53770 and CVE-2025-53771, including payloads and vulnerability checker!….

Had an environment that after blocking access to toolpane.aspx, still works. While rotating keys broke the app. Maybe a viable option to block it in front of your SP or even do it via IIS Rewrite rules. Maybe interesting for <=SP2013 users to go online without a patch.

Update on the SharePoint saga:. First samples seen bypassing AMSI (. Fist samples seen completely operating fileless, still extracting your machine keys. Please do not rely on AMSI nor that files need to be dropped first before shit happens.

RT @Octoberfest73: My take on one of the new FileFix (DropFix?) MOTW bypasses. Awesome to collab with @mrd0x, exciting to see how TTPs can….

RT @leak_ix: Just a heads-up, attackers found a way to leak information, including keys entirely from memory. Checking for "the file" is no….

Added ToolChain check. Reliably works for 2016, partly works for 2019 and Subscription as sometimes only Revision numbers change. Anyways, it is still a first indicator if you see a patch status of January 2025. Added batch support and range support.

Why the fuck was / is MS not mentioning to protect the ToolPane.aspx endpoint at all? Wouldn't that help? Is this breaking fundamental things in SP if it's not externally available?. I mean "people" will now patchdiff a lot. Maybe find bypasses and the shitshow starts all over.

RT @_l0gg: My advice is temporary block ToolPane page. URL contain `ToolPane.aspx` and body contain `MSOTlPn_DWP` parameter. Remember to de….

RT @BlinkzSec: Personally, I am convinced that you should use something like active defense in a company - maybe there is already another n….

That is actually the real exploit. I went through all the decoding and stuff. It finally is the payload that creates spinstall0.aspx which then gets you the machine keys that allow you to craft your own Viewstates.

RT @vxunderground: > whats the r word?. It rhymes with schmansome-schmare.

RT @irsdl: 🚨.1- CVE-2025-53770 is a variant of CVE-2025-49704 - a critical auth bypass in SharePoint's ToolPane.aspx endpoint. It lets atta….

RT @leak_ix: sharepoint.pwned.json.

RT @msftsecresponse: Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePo….

RT @leak_ix: sharepoint.payload.txt.

RT @CISACyber: Malicious actors are exploiting RCE vulnerability CVE-2025-53770 to compromise on-prem SharePoint servers. See our Alert for….

RT @irsdl: Well it was possible to bypass the auth patch easily as even a slash after .aspx would jump the check but .